Subject: Re: [cti-comment] STiX 2.0 Cyber-Observable Objects definition
On 07.06.2017 14:14:44, Palmer, Cliff A. (NE) wrote:
> The STIX Version 2.0, Part 4: Cyber Observable Objects document
> mentions that the cyber-observable objects included in STIX 2.0
> "represent a minimally viable product".
>
> The latest schema I have seen specifies 18 cyber-observable objects.
> Prior CybOX versions had specifications for something in the
> neighborhood of 90 CybOX objects.
>
> Is there a roadmap which identifies the future STIX version which
> will contain the specification for each of the remaining
> cyber-observable objects?

Hi, Cliff -

While the CybOX 2.1 data model included about 90 objects, in practice most of these weren't used. As we began the effort of refactoring CybOX 3.0 (since incorporated into STIX 2.0 as STIX Cyber Observables), we decided that the most prudent course of action would be to focus our efforts on the CybOX objects people were actually using.

We wanted to take this decision based on real-world data. Trouble was, the vast majority of this data was locked up inside various private information-sharing communities (e.g., ISACs and ISAOs). So we created an open-source tool called cti-stats [1] which these private sharing communities could run against their data and get sanitized statistical output. We took great care in this effort, being sensitive to the need to safeguard the confidentiality of participants. This dataset was then aggregated. The results are available here [2].

If you look at that data, you'll see that the vast majority of the CybOX 2.1 objects weren't in use. One can speculate as to whether this was due to a) some of the objects being overly complicated and hence difficult to use, b) a reflection of the overall maturity of current information-sharing practices, or c) a combination of the two. Regardless, it was clear that we should focus our initial efforts on refactoring the objects in actual use.
As we iterate towards the STIX 2.1 release, the CTI TC STIX Cyber Observables subcommittee is working to expand the data model. Our roadmap is still evolving, but the CTI TC cover page [3] documents the current state. Whether we wind up replicating all of the 90+ objects that were in the CybOX 2.1 data model is an open question. Our efforts are focused on what the CTI TC community needs and which people are willing to contribute time and effort towards developing. This is, after all, primarily a volunteer-driven community effort.

If there are particular CybOX 2.1 constructs which you need or want that are currently missing from STIX 2.0, we invite you to join the OASIS CTI TC and help us to flesh those out. Please don't hesitate to reach out to me privately if you have questions about how to engage with our standards process.

[1]: https://github.com/Soltra/cti-stats
[2]: https://cyboxproject.github.io/cti-stats/
[3]: https://docs.google.com/document/d/1yvqWaPPnPW-2NiVCLqzRszcx91ffMowfT5MmE9Nsy_w/edit#heading=h.rnemfnrew1l4

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works." --RFC 1925
Attachment:
signature.asc
Description: Digital signature
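The reply above describes running a statistics tool over a sharing community's STIX data to learn which observable object types are actually in use, while releasing only sanitized aggregate output. The script below is an added example written for this page, not the cti-stats tool and not code from the OASIS CTI TC: it walks a STIX 2.0 bundle, reads only the `type` field of each observable embedded in `observed-data` objects, collapses custom `x-` types into one bucket so private extension names are not disclosed, and reports per-type counts against the 18 Cyber Observable types defined in STIX 2.0 Part 4. The bundle it runs on is constructed for the example; the object ids, hashes and addresses in it are placeholders.

```python
"""Count STIX 2.0 Cyber Observable object types in a bundle, emitting only
aggregate counts. Added example for this page; not the cti-stats tool."""
import json
from collections import Counter

# The 18 Cyber Observable object types defined in STIX 2.0 Part 4.
STIX20_OBSERVABLE_TYPES = frozenset({
    "artifact", "autonomous-system", "directory", "domain-name",
    "email-addr", "email-message", "file", "ipv4-addr", "ipv6-addr",
    "mac-addr", "mutex", "network-traffic", "process", "software", "url",
    "user-account", "windows-registry-key", "x509-certificate",
})

# Constructed sample bundle (placeholder ids, hashes and addresses);
# not data from any sharing community.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "observed-data",
            "id": "observed-data--00000000-0000-4000-8000-000000000002",
            "created": "2017-06-07T00:00:00.000Z",
            "modified": "2017-06-07T00:00:00.000Z",
            "first_observed": "2017-06-07T00:00:00.000Z",
            "last_observed": "2017-06-07T00:00:00.000Z",
            "number_observed": 1,
            "objects": {
                "0": {"type": "file", "name": "dropper.exe",
                      "hashes": {"SHA-256": "e3b0c44298fc1c149afbf4c8996fb924"
                                            "27ae41e4649b934ca495991b7852b855"}},
                "1": {"type": "ipv4-addr", "value": "198.51.100.7"},
                "2": {"type": "network-traffic", "src_ref": "1",
                      "protocols": ["tcp"]},
                # A community-private extension type (hypothetical name).
                "3": {"type": "x-acme-beacon", "interval": 60},
            },
        },
        {
            "type": "observed-data",
            "id": "observed-data--00000000-0000-4000-8000-000000000003",
            "created": "2017-06-07T00:00:00.000Z",
            "modified": "2017-06-07T00:00:00.000Z",
            "first_observed": "2017-06-07T00:00:00.000Z",
            "last_observed": "2017-06-07T00:00:00.000Z",
            "number_observed": 3,
            "objects": {
                "0": {"type": "domain-name", "value": "example.test"},
                "1": {"type": "ipv4-addr", "value": "203.0.113.9"},
            },
        },
        # Non-observed-data SDOs are skipped; they carry no embedded observables.
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2017-06-07T00:00:00.000Z",
            "modified": "2017-06-07T00:00:00.000Z",
            "labels": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '203.0.113.9']",
            "valid_from": "2017-06-07T00:00:00.000Z",
        },
    ],
})


def count_observable_types(bundle_json):
    """Return a Counter of observable types found inside observed-data objects.

    Only the 'type' field of each embedded observable is read; names, values
    and hashes never leave this function, so the result carries no indicator
    content. Custom (x-...) types are folded into a single 'x-custom' bucket so
    that a community's private extension names are not disclosed either.
    """
    bundle = json.loads(bundle_json)
    counts = Counter()
    for sdo in bundle.get("objects", []):
        if sdo.get("type") != "observed-data":
            continue
        embedded = sdo.get("objects")
        if not isinstance(embedded, dict):  # STIX 2.0 keys observables by string index
            continue
        for obs in embedded.values():
            otype = obs.get("type") if isinstance(obs, dict) else None
            if not otype:
                counts["<missing-type>"] += 1  # malformed entry: counted, not dropped
            elif otype.startswith("x-"):
                counts["x-custom"] += 1
            else:
                counts[otype] += 1
    return counts


def usage_report(bundle_json):
    """Aggregate counts into the sanitized shape a community could publish:
    per-type counts for the 18 STIX 2.0 types, which of the 18 were never
    used, and how many observables were custom types."""
    counts = count_observable_types(bundle_json)
    by_type = {t: counts.get(t, 0) for t in sorted(STIX20_OBSERVABLE_TYPES)}
    return {
        "total_observables": sum(counts.values()),
        "by_type": by_type,
        "unused_types": sorted(t for t, n in by_type.items() if n == 0),
        "custom_observables": counts.get("x-custom", 0),
    }


if __name__ == "__main__":
    print(json.dumps(usage_report(SAMPLE_BUNDLE), indent=2))
```

Running the script on the sample prints the aggregate report only; the `x-acme-beacon` name, the file hash and the addresses are never emitted. On a real community's data the same shape of output is what can be aggregated across communities without revealing which indicators any one of them holds.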